[Splunk] SIEM Enrichment with the Enforcement Center

The Splunk TA can pull data from Axonius into Splunk, but the Enforcement Center can also push data from Axonius to Splunk. Let’s review how to accomplish this.

With this action we can send asset information to your SIEM and enrich notable events with context your SOC would otherwise lack. That context can be used to set the severity of an event dynamically, based on the type of device involved and the security controls present on it.

For example, your firewall or IDS/IPS sees the source and destination IP addresses of an alert, but it doesn’t natively know whether those addresses belong to managed devices or whether those devices run the appropriate security tools. Enriching your SIEM with device context from Axonius lets you raise an IDS alert to critical when, say, the destination address is behind an externally facing load balancer and/or the device has no EDR agent installed. More details on how to accomplish this in Splunk specifically (through the Enterprise Security Asset and Identity framework) can be found here:

https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/assetandidentityframework

Prerequisites

Review this community post for how to configure the HTTPS Log settings in Axonius for Splunk.

Sending to an HTTPS Log Server with the Enforcement Center

I’ll use a saved query with one device and some of its preferred fields.

We’ll be using the Send to HTTPS Log Server Enforcement Center action.

While the Authorization header is marked optional, include the same header value configured in our HTTPS Log Settings. Splunk HEC expects the Splunk <token> scheme, so it takes the following form (substitute your own HEC token, and treat it as a secret):

Splunk bd8c4fa2-15f8-4fe5-82ff-aeeec0412d3e

The Description is only sent if Send result data is disabled. Enabling Add default incident description includes more of the run’s metadata in what is sent.

This configuration produces the following logs (alongside the records already sent by the HTTPS Log Settings in our Global Settings):

If we update the action to Send result details, we get the following results:

Note that only the columns specified in the saved query are sent to Splunk, so when you build the query choose the fields your SIEM lookup will need (for example hostname, IP addresses, OS, and the security agents present on the device).
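As an added example (not code from the original post or from Axonius), here is the enrichment described above modelled in Python: a few constructed device records in the shape the Enforcement Center might push to HEC (one JSON event per device, carrying the saved query’s columns), an index from IP address to device, and a function that applies the post’s rule to a constructed IDS alert, raising it to critical when the destination is behind an externally facing load balancer and/or has no EDR adapter, and to at least high when the destination is not in the inventory at all. The field names (hostname, ips, adapters, tags), the adapter names treated as EDR, and the behind-lb tag are assumptions; substitute the columns of your own saved query.

```python
"""Enrich an IDS alert with Axonius-style asset context and derive a severity.

Added example, not code from the original post or from Axonius. The field
names, the adapter names treated as EDR and the "behind-lb" tag are
assumptions standing in for the columns of a real saved query.
"""
import ipaddress
import json

# Constructed sample of what the Enforcement Center might push to HEC: one JSON
# event per device carrying the saved query's columns (field names assumed).
ASSET_EVENTS = [
    '{"hostname": "web-01", "ips": ["10.0.1.10"], '
    '"adapters": ["AWS", "CrowdStrike Falcon"], "tags": ["behind-lb"]}',
    '{"hostname": "app-02", "ips": ["10.0.1.20", "10.0.1.21"], '
    '"adapters": ["AWS"], "tags": ["behind-lb"]}',
    '{"hostname": "wks-07", "ips": ["10.0.5.15"], '
    '"adapters": ["Active Directory", "CrowdStrike Falcon"], "tags": []}',
    # Deliberately malformed address to show the index skips it instead of failing.
    '{"hostname": "bad-01", "ips": ["not-an-ip"], "adapters": [], "tags": []}',
]

# Adapter names that count as an EDR control (assumed list, compared lower-case).
EDR_ADAPTERS = {"crowdstrike falcon", "sentinelone", "microsoft defender for endpoint"}
# Tag marking a device reachable through an externally facing load balancer (assumed).
EXTERNAL_TAG = "behind-lb"

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def build_ip_index(events):
    """Parse the pushed JSON events and map every valid IP to its device record."""
    index = {}
    for line in events:
        asset = json.loads(line)
        for raw_ip in asset.get("ips", []):
            try:
                ip = str(ipaddress.ip_address(raw_ip))  # canonical textual form
            except ValueError:
                continue  # one bad address should not drop the whole batch
            index[ip] = asset
    return index


def asset_context(asset):
    """Reduce a device record to the two controls the severity rule looks at."""
    adapters = {a.lower() for a in asset.get("adapters", [])}
    return {
        "hostname": asset.get("hostname"),
        "has_edr": bool(adapters & EDR_ADAPTERS),
        "external": EXTERNAL_TAG in asset.get("tags", []),
    }


def enrich_alert(alert, index):
    """Return a copy of the alert with asset fields added and severity adjusted.

    Rule from the post: critical when the destination is behind an external
    load balancer and/or has no EDR. A destination missing from the Axonius
    inventory is treated as unmanaged and raised to at least high. Otherwise
    the alert keeps the severity the IDS gave it.
    """
    enriched = dict(alert)
    severity = alert.get("severity", "medium")
    reasons = []
    asset = index.get(alert["dest_ip"])
    if asset is None:
        enriched["dest_managed"] = False
        severity = max(severity, "high", key=lambda s: SEVERITY_RANK.get(s, 0))
        reasons.append("destination not in Axonius inventory")
    else:
        ctx = asset_context(asset)
        enriched.update(
            dest_managed=True,
            dest_hostname=ctx["hostname"],
            dest_has_edr=ctx["has_edr"],
            dest_external=ctx["external"],
        )
        if ctx["external"]:
            reasons.append("destination is behind an externally facing load balancer")
        if not ctx["has_edr"]:
            reasons.append("destination has no EDR adapter")
        if reasons:
            severity = "critical"
    enriched["severity"] = severity
    enriched["severity_reasons"] = reasons
    return enriched


if __name__ == "__main__":
    ip_index = build_ip_index(ASSET_EVENTS)
    # Constructed IDS alert: the sensor knows the addresses and nothing about the hosts.
    alert = {"signature": "inbound exploit attempt (constructed)",
             "src_ip": "203.0.113.7", "dest_ip": "10.0.1.20", "severity": "medium"}
    print(json.dumps(enrich_alert(alert, ip_index), indent=2))
```

In Splunk itself this logic belongs in the Enterprise Security asset lookup and a correlation search rather than in a script; the point here is to make the IP-to-device lookup and the severity rule concrete, and to show why the columns you put in the saved query decide what the SIEM can reason about.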


Let us know if you have any questions. Cheers!
